1323136Sdes# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ 299051Sdes# $FreeBSD: stable/11/crypto/openssh/sshd_config 323136 2017-09-02 23:39:51Z des $ 357429Smarkm 498684Sdes# This is the sshd server system-wide configuration file. See 598684Sdes# sshd_config(5) for more information. 676262Sgreen 798941Sdes# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 898941Sdes 992559Sdes# The strategy used for options in the default sshd_config shipped with 1092559Sdes# OpenSSH is to specify options with their default value where 11226046Sdes# possible, but leave them commented. Uncommented options override the 1292559Sdes# default value. 1392559Sdes 1499051Sdes# Note that some of FreeBSD's defaults differ from OpenBSD's, and 1599051Sdes# FreeBSD has a few additional options. 1699051Sdes 1792559Sdes#Port 22 18147005Sdes#AddressFamily any 1957429Smarkm#ListenAddress 0.0.0.0 2057429Smarkm#ListenAddress :: 2169591Sgreen 22181111Sdes#HostKey /etc/ssh/ssh_host_rsa_key 2392559Sdes#HostKey /etc/ssh/ssh_host_dsa_key 24221420Sdes#HostKey /etc/ssh/ssh_host_ecdsa_key 25261320Sdes#HostKey /etc/ssh/ssh_host_ed25519_key 2657429Smarkm 27255767Sdes# Ciphers and keying 28255767Sdes#RekeyLimit default none 29255767Sdes 3057429Smarkm# Logging 3192559Sdes#SyslogFacility AUTH 3292559Sdes#LogLevel INFO 3357429Smarkm 3492559Sdes# Authentication: 3592559Sdes 36124211Sdes#LoginGraceTime 2m 37295139Sdes#PermitRootLogin no 3892559Sdes#StrictModes yes 39137019Sdes#MaxAuthTries 6 40181111Sdes#MaxSessions 10 4192559Sdes 4292559Sdes#PubkeyAuthentication yes 4392559Sdes 44226046Sdes# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 45323136Sdes# but this is overridden so installations will only check .ssh/authorized_keys 46323136SdesAuthorizedKeysFile .ssh/authorized_keys 47226046Sdes 48240075Sdes#AuthorizedPrincipalsFile none 49240075Sdes 50248619Sdes#AuthorizedKeysCommand none 51248619Sdes#AuthorizedKeysCommandUser nobody 52248619Sdes 5392559Sdes# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 5492559Sdes#HostbasedAuthentication no 5592559Sdes# Change to yes if you don't trust ~/.ssh/known_hosts for 56323134Sdes# HostbasedAuthentication 5792559Sdes#IgnoreUserKnownHosts no 58124211Sdes# Don't read the user's ~/.rhosts and ~/.shosts files 59124211Sdes#IgnoreRhosts yes 6057429Smarkm 61126009Sdes# Change to yes to enable built-in password authentication. 62126009Sdes#PasswordAuthentication no 6392559Sdes#PermitEmptyPasswords no 6476262Sgreen 6599315Sdes# Change to no to disable PAM authentication 6695456Sdes#ChallengeResponseAuthentication yes 6757429Smarkm 6892559Sdes# Kerberos options 6998684Sdes#KerberosAuthentication no 7057429Smarkm#KerberosOrLocalPasswd yes 7192559Sdes#KerberosTicketCleanup yes 72126277Sdes#KerberosGetAFSToken no 7357429Smarkm 74124211Sdes# GSSAPI options 75124211Sdes#GSSAPIAuthentication no 76126277Sdes#GSSAPICleanupCredentials yes 7757429Smarkm 78162856Sdes# Set this to 'no' to disable PAM authentication, account processing, 79261320Sdes# and session processing. If this is enabled, PAM authentication will 80162856Sdes# be allowed through the ChallengeResponseAuthentication and 81162856Sdes# PasswordAuthentication. Depending on your PAM configuration, 82162856Sdes# PAM authentication via ChallengeResponseAuthentication may bypass 83162856Sdes# the setting of "PermitRootLogin without-password". 84162856Sdes# If you just want the PAM account and session checks to run without 85162856Sdes# PAM authentication, then enable this but set PasswordAuthentication 86162856Sdes# and ChallengeResponseAuthentication to 'no'. 87127033Sdes#UsePAM yes 8892559Sdes 89181111Sdes#AllowAgentForwarding yes 90124211Sdes#AllowTcpForwarding yes 91124211Sdes#GatewayPorts no 9299051Sdes#X11Forwarding yes 9392559Sdes#X11DisplayOffset 10 9492559Sdes#X11UseLocalhost yes 95261320Sdes#PermitTTY yes 9692559Sdes#PrintMotd yes 9792559Sdes#PrintLastLog yes 98126277Sdes#TCPKeepAlive yes 99106130Sdes#PermitUserEnvironment no 100149753Sdes#Compression delayed 101124211Sdes#ClientAliveInterval 0 102124211Sdes#ClientAliveCountMax 3 103294909Sdes#UseDNS yes 104124211Sdes#PidFile /var/run/sshd.pid 105248619Sdes#MaxStartups 10:30:100 106157019Sdes#PermitTunnel no 107181111Sdes#ChrootDirectory none 108305476Slidl#UseBlacklist no 109323136Sdes#VersionAddendum FreeBSD-20170903 11065674Skris 11192559Sdes# no default banner path 112181111Sdes#Banner none 11376262Sgreen 11492559Sdes# override default of no subsystems 11576262SgreenSubsystem sftp /usr/libexec/sftp-server 116162856Sdes 117162856Sdes# Example of overriding settings on a per-user basis 118162856Sdes#Match User anoncvs 119162856Sdes# X11Forwarding no 120162856Sdes# AllowTcpForwarding no 121261320Sdes# PermitTTY no 122162856Sdes# ForceCommand cvs server 123